Below is a quote from the "Supplementary Information" section of the final ruling (specifically is a response to commenterís on the initial draft of the regulation):
This may help clarify the intent . . .
"The Agencies believe it is important to retain a provision in the final rules addressing service providers to remind financial institutions and creditors that they continue to remain responsible for compliance with the final rules, even if they outsource operations to a third party. However, the Agencies have simplified the service provider provision in the final rules and moved the remaining parts of proposed ßl.90(d)(4) to the guidelines. Section l.90(e)(4) of the final rules provides that a covered entity must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions and creditors in managing their service provider arrangements, while making clear that a covered entity cannot escape its obligations to comply with the final rules and to include in its Program those guidelines that are appropriate by simply outsourcing an activity.
Section VI(c) of the guidelines provides that, whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service providerís activities and either report the Red Flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft."
Taken from page 16 of the Identity Theft Red Flags Final Rule
Russ Horn, CISA, CISSP CoNetrix Identity Theft Prevention Program online tool